Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
This commit is contained in:
parent
5d6a9d3bef
commit
ddd8988f1c
@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
%triggerin -n freeipa-client -- openssh-server
|
||||||
|
# Has the client been configured?
|
||||||
|
restore=0
|
||||||
|
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
||||||
|
|
||||||
|
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
||||||
|
if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
|
||||||
|
sed -r '
|
||||||
|
/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
|
||||||
|
' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
|
||||||
|
|
||||||
|
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
|
||||||
|
sed -ri '
|
||||||
|
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||||||
|
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
|
||||||
|
' /etc/ssh/sshd_config.ipanew
|
||||||
|
elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
|
||||||
|
sed -ri '
|
||||||
|
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||||||
|
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
|
||||||
|
' /etc/ssh/sshd_config.ipanew
|
||||||
|
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
|
||||||
|
sed -ri '
|
||||||
|
s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
|
||||||
|
s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
|
||||||
|
' /etc/ssh/sshd_config.ipanew
|
||||||
|
fi
|
||||||
|
|
||||||
|
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||||||
|
/sbin/restorecon /etc/ssh/sshd_config
|
||||||
|
chmod 600 /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
/bin/systemctl condrestart sshd.service 2>&1 || :
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
%if ! %{ONLY_CLIENT}
|
%if ! %{ONLY_CLIENT}
|
||||||
%files server -f server-python.list
|
%files server -f server-python.list
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
@ -799,6 +835,9 @@ fi
|
|||||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
|
||||||
|
- Add triggerin scriptlet to update sshd_config on openssh-server update
|
||||||
|
|
||||||
* Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
|
* Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
|
||||||
- Update nss and nss-tools dependency to fix certutil problem (#872761)
|
- Update nss and nss-tools dependency to fix certutil problem (#872761)
|
||||||
|
|
||||||
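Review bot: The `mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config` after the inner `fi` runs even when none of the three `sshd -t` probes succeeded, so on such a host the trigger installs a config from which the earlier `sed -r '/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d'` has already stripped the user line, and the following `condrestart` can leave sshd unable to start (as far as I recall, OpenSSH 6.2 treats `AuthorizedKeysCommand` without `AuthorizedKeysCommandUser` as a fatal config error) — a remote lockout caused by a package update. Track whether a branch matched and only replace the file in that case, discarding the temporary file otherwise. The temporary file is also created under the scriptlet's umask before the `chmod 600`; a `umask 077` at the top of the scriptlet closes that window.
```shell
umask 077
updated=0
# … unchanged: egrep test and the sed -r that writes sshd_config.ipanew …
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
    # … unchanged: sed -ri adding AuthorizedKeysCommandUser nobody …
    updated=1
# … unchanged: the RunAs and PubKeyAgent branches, each likewise ending in updated=1 …
fi

if [ $updated -eq 1 ]; then
    mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
    /sbin/restorecon /etc/ssh/sshd_config
    chmod 600 /etc/ssh/sshd_config
    /bin/systemctl condrestart sshd.service 2>&1 || :
else
    rm -f /etc/ssh/sshd_config.ipanew
fi
```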
|
@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
|
|||||||
CLIENT_ALREADY_CONFIGURED = 3
|
CLIENT_ALREADY_CONFIGURED = 3
|
||||||
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
|
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
|
||||||
|
|
||||||
|
SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
|
||||||
|
SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
|
||||||
|
SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
|
||||||
|
|
||||||
client_nss_nickname_format = 'IPA Machine Certificate - %s'
|
client_nss_nickname_format = 'IPA Machine Certificate - %s'
|
||||||
|
|
||||||
def parse_options():
|
def parse_options():
|
||||||
@ -1212,9 +1216,9 @@ def configure_ssh_config(fstore, options):
|
|||||||
if options.trust_sshfp:
|
if options.trust_sshfp:
|
||||||
changes['VerifyHostKeyDNS'] = 'yes'
|
changes['VerifyHostKeyDNS'] = 'yes'
|
||||||
changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
|
changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
|
||||||
elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
|
elif options.sssd and file_exists(SSH_PROXYCOMMAND):
|
||||||
changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
|
changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
|
||||||
changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
|
changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
|
||||||
|
|
||||||
change_ssh_config(ssh_config, changes, ['Host'])
|
change_ssh_config(ssh_config, changes, ['Host'])
|
||||||
root_logger.info('Configured %s', ssh_config)
|
root_logger.info('Configured %s', ssh_config)
|
||||||
@ -1237,25 +1241,42 @@ def configure_sshd_config(fstore, options):
|
|||||||
'UsePAM': 'yes',
|
'UsePAM': 'yes',
|
||||||
}
|
}
|
||||||
|
|
||||||
if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
|
if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
|
||||||
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
|
authorized_keys_changes = None
|
||||||
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
|
|
||||||
'-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
|
candidates = (
|
||||||
if retcode == 0:
|
{
|
||||||
changes['AuthorizedKeysCommand'] = authorized_keys_command
|
'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
|
||||||
changes['AuthorizedKeysCommandRunAs'] = None
|
'AuthorizedKeysCommandUser': 'nobody',
|
||||||
else:
|
},
|
||||||
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
|
{
|
||||||
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
|
'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
|
||||||
'-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
|
'AuthorizedKeysCommandRunAs': 'nobody',
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
|
||||||
|
'PubKeyAgentRunAs': 'nobody',
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
for candidate in candidates:
|
||||||
|
args = ['sshd', '-t', '-f', '/dev/null']
|
||||||
|
for item in candidate.iteritems():
|
||||||
|
args.append('-o')
|
||||||
|
args.append('%s=%s' % item)
|
||||||
|
|
||||||
|
(stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
|
||||||
if retcode == 0:
|
if retcode == 0:
|
||||||
changes['PubKeyAgent'] = authorized_keys_command
|
authorized_keys_changes = candidate
|
||||||
changes['PubkeyAgentRunAs'] = None
|
break
|
||||||
else:
|
|
||||||
root_logger.warning("Installed OpenSSH server does not " +
|
if authorized_keys_changes is not None:
|
||||||
"support dynamically loading authorized user keys. " +
|
changes.update(authorized_keys_changes)
|
||||||
"Public key authentication of IPA users will not be " +
|
else:
|
||||||
"available.")
|
root_logger.warning("Installed OpenSSH server does not "
|
||||||
|
"support dynamically loading authorized user keys. "
|
||||||
|
"Public key authentication of IPA users will not be "
|
||||||
|
"available.")
|
||||||
|
|
||||||
change_ssh_config(sshd_config, changes, ['Match'])
|
change_ssh_config(sshd_config, changes, ['Match'])
|
||||||
root_logger.info('Configured %s', sshd_config)
|
root_logger.info('Configured %s', sshd_config)
|
||||||
|